0

I am trying to validate my login page.

Special characters are not accepted, but when I input a backslash ( \ ), an error message appears:

error in executing query..

Please help me validate it.

Thanks

0

mysql_real_escape_string() will escape data for database entry.

But you don't tell us what you are doing already, show code examples or really give us any idea of what you have done so far, but I assume this will work.

0

mysql_real_escape_string() will escape data for database entry.

But you don't tell us what you are doing already, show code examples or really give us any idea of what you have done so far, but I assume this will work.

I tried to code mysql_real_escape_string() but I'm getting an error. I don't know where to put the function you're talking about.

Here's the code for your reference:

<?php
$errorList = array(); //holds the errors encountered

if (isset($_POST['submitted'])) { // Check if the form has been submitted.

	require_once ('database.php'); // Connect to the database.
	$database = new database();
	
	// Validate the username.
	if (!empty($_POST['username'])) {
		$u = ($_POST['username']);
	} else {
		$errorList[] = '<b>You forgot to enter your username!</b>';
		$u = FALSE;
	}
	
	// Validate the password.
	if (!empty($_POST['password'])) {
		$p = ($_POST['password']);
	} else {
		$p = FALSE;
		$errorList[] = '<b>You forgot to enter your password!</b>';
	}
	
	if ($u && $p) { // If everything's OK.
		$database->Connect();
		// Query the database.
			 
		$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='$u' AND Password='$p') and DelCategory='0'";
		$result = $database->executeQuery ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
		
		if (@mysql_num_rows($result) == 1) { // A match was made.
	                $row = mysql_fetch_array ($result); 
			$database->Disconnect();
			
			session_start();
			$_SESSION['AccountType'] = $row['userdesc'];
			$_SESSION['UserName']= $row['username'];
			$_SESSION['UsersID']= $row['userid'];

			$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
			// Check for a trailing slash.
			if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
				$url = substr ($url, 0, -1); // Chop off the slash.
			}
			// Add the page.
			if ($row['userdesc'] == "penafrancia") {
				$url .= '/admin.php';
			}

			header("Location: $url");
			exit(); // Quit the script.
				
		} else { // No match was made.
			$errorList[] = '<b>The username and password entered is invalid</b>'; 
		}
		
	}
	
	mysql_close(); // Close the database connection.

} // End of SUBMIT conditional.
?>
0

Change your query string from

$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='$u' AND Password='$p') and DelCategory='0'";

to:

$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='".addslashes($u)."' AND Password='".addslashes($p)."') and DelCategory='0'";

Here I added slashes to the parameters before executing the query, to avoid SQL injection and to make $query a valid query.

0

Use mysql_real_escape_string() for the variable holding the query, before executing the query.
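
Added example, not code from any poster in this thread: the login lookup done with a PDO prepared statement, so a backslash or quote in the input is bound as data and cannot break the query. The in-memory SQLite database, the sample rows and the helper findUser() are assumptions made so the script runs on its own; against MySQL the same prepare/execute calls apply with a MySQL DSN.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database.
// Table and column names follow the query in the thread; rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE login (
    userid INTEGER PRIMARY KEY, UserName TEXT, Password TEXT,
    userdesc TEXT, DelCategory TEXT)");

// Constructed sample account whose name and password contain ' and \.
$ins = $pdo->prepare(
    "INSERT INTO login (UserName, Password, userdesc, DelCategory)
     VALUES (?, ?, 'staff', '0')"
);
$ins->execute(["O'Brien", 'pa\\ss']);

// Hypothetical helper: returns the matching row, or null when login fails.
function findUser(PDO $pdo, string $u, string $p): ?array
{
    // Placeholders keep user input out of the SQL text entirely, so quotes
    // and backslashes in $u or $p can never change the statement.
    $stmt = $pdo->prepare(
        "SELECT userid, username, userdesc FROM login
         WHERE UserName = :u AND Password = :p AND DelCategory = '0'"
    );
    $stmt->execute([':u' => $u, ':p' => $p]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;
}

// Constructed inputs: a valid login containing ' and \, the lone backslash
// from the question, and a wrong password.
$attempts = [
    ["O'Brien", 'pa\\ss'],
    ['\\', 'anything'],
    ["O'Brien", 'wrong'],
];
foreach ($attempts as [$u, $p]) {
    $row = findUser($pdo, $u, $p);
    printf("%-12s => %s\n", var_export($u, true), $row ? 'match' : 'no match');
}
```

The mysql_* functions used in the thread were removed in PHP 7, so PDO or mysqli is required on current PHP versions. The plaintext password comparison mirrors the thread's table and is kept only so the query matches.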
